Java
levap, 2013-03-28 10:43:09

Secure data handling in a multi-user WEB application?

I have a multi-user Spring-based web application that works with a database. Authentication and authorization of users is done through Spring Security. I access the database through JDBC.
Let's take a simple situation: editing a certain entity. To do this, we pass the identifier of this entity to the controller in the request parameters, load it from the database, fill out the form, edit it and update it in the database.
The question is how to properly ensure the security of this operation, i.e. how to check that the entity belongs to the current user. Is there a standard Spring pattern for this?
Currently, in each DAO implementation, when fetching an entity, in addition to the key I pass the user's name (obtained via principal.getName()) and check ownership in the SQL query. Like this:

public void updateGroup(GroupEntity group, String user) {
    jdbcTemplate.update("UPDATE groups SET password = ?, name = ? WHERE group_id = ? AND user_id = ?", 
        group.getPassword(), group.getName(), group.getId(), user);
}

As the target entity moves away from the table containing users, you have to write more and more sophisticated queries. Maybe there is a better way?

2 answer(s)
Sergey Sidorov, 2013-03-28
@levap

Everything can be resolved through Spring Security, via Method Security Expressions. In the database, each entry must have an owner_id, a foreign key to the owner. The code in your example would look something like this:

@PreAuthorize("#group.owner == authentication.name")
public void updateGroup(GroupEntity group) {
    //
}

More complex options are also possible.
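The approach from this answer, worked through as an added example (this is not code from the answer or from the asker's project). It assumes Spring Security method security is enabled (`@EnableGlobalMethodSecurity(prePostEnabled = true)` on a configuration class) and a `groups` table with an `owner` column holding the owning username; the table, column and class names are assumptions. The check is placed on the read path with `@PostAuthorize`, so it is evaluated against the row actually loaded from the database rather than against an `owner` value that arrived in the submitted form.

```java
// Added example, not code from the original answer. Assumes Spring Security
// method security is enabled (@EnableGlobalMethodSecurity(prePostEnabled = true)
// on a configuration class) and a "groups" table with an "owner" column
// holding the owning username; table, column and class names are assumptions.
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;

// Minimal entity with the getters used in the question.
class GroupEntity {
    private final long id;
    private final String name;
    private final String password;
    private final String owner;

    GroupEntity(long id, String name, String password, String owner) {
        this.id = id; this.name = name; this.password = password; this.owner = owner;
    }
    public long getId() { return id; }
    public String getName() { return name; }
    public String getPassword() { return password; }
    public String getOwner() { return owner; }
}

// The ownership check lives on the read path and is evaluated against the row
// that actually came back from the database, so request parameters cannot
// influence it. If the expression is false, @PostAuthorize throws
// AccessDeniedException and the loaded object is never returned to the caller.
@Repository
class GroupRepository {
    private final JdbcTemplate jdbcTemplate;

    GroupRepository(JdbcTemplate jdbcTemplate) { this.jdbcTemplate = jdbcTemplate; }

    @PostAuthorize("returnObject.owner == authentication.name")
    public GroupEntity findById(long groupId) {
        return jdbcTemplate.queryForObject(
            "SELECT group_id, name, password, owner FROM groups WHERE group_id = ?",
            (rs, rowNum) -> new GroupEntity(
                rs.getLong("group_id"), rs.getString("name"),
                rs.getString("password"), rs.getString("owner")),
            groupId);
    }

    // Ownership is already enforced by findById; the SQL itself needs no user predicate.
    public void update(GroupEntity group) {
        jdbcTemplate.update(
            "UPDATE groups SET password = ?, name = ? WHERE group_id = ?",
            group.getPassword(), group.getName(), group.getId());
    }
}

// The service re-loads the persisted row before writing. Checking
// "#group.owner == authentication.name" on the incoming object alone would
// trust an owner value that the client supplied in the form.
@Service
class GroupService {
    private final GroupRepository groups;

    GroupService(GroupRepository groups) { this.groups = groups; }

    @PreAuthorize("isAuthenticated()")
    public void updateGroup(GroupEntity submitted) {
        // This call goes through the Spring proxy of the repository bean, so the
        // @PostAuthorize check on findById is applied. A call to an annotated
        // method on "this" would bypass the proxy and silently skip the check.
        GroupEntity persisted = groups.findById(submitted.getId());
        groups.update(new GroupEntity(
            persisted.getId(), submitted.getName(),
            submitted.getPassword(), persisted.getOwner()));
    }
}
```

Two things to keep in mind when using the `#group.owner` form from the answer directly: Spring resolves `#group` by parameter name, so the class must be compiled with parameter names available (`-parameters` or debug information), and the expression only sees the object the caller passed in, which is why the example above checks the persisted row instead.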

SergeyGrigorev, 2013-03-28
@SergeyGrigorev

As an option, use separate namespaces; then the entities will not be accessible to unauthorized users even for reading (via bugs in the system where you forget to filter on the user). Then it would be something like:

public void updateGroup(GroupEntity group, String usernamespace) {
    jdbcTemplate.update("UPDATE " + usernamespace + ".groups SET password = ?, name = ? WHERE group_id = ?",
        group.getPassword(), group.getName(), group.getId());
}
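The per-schema variant hinges on where `usernamespace` comes from: a schema name cannot be bound as a `?` parameter, so it is concatenated into the SQL, and it must therefore be derived from the authenticated principal and validated, never taken from the request. The following is an added example (not code from the answer) showing that derivation; the `u_` prefix, the allowed-name pattern and the table and column names are assumptions.

```java
// Added example, not code from the original answer. Shows how the per-user
// schema name in the answer's UPDATE would be derived from the authenticated
// principal and validated before concatenation, since SQL identifiers cannot
// be bound as ? parameters. The "u_" prefix, the allowed-name pattern and the
// table/column names are assumptions.
import java.util.regex.Pattern;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class NamespacedGroupDao {

    // Only identifiers of exactly this shape reach the SQL string; anything
    // containing quotes, dots, whitespace or other punctuation is rejected.
    private static final Pattern SCHEMA_NAME = Pattern.compile("^u_[A-Za-z0-9_]{1,30}$");

    private final JdbcTemplate jdbcTemplate;

    public NamespacedGroupDao(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // Map a username to its schema name, rejecting anything outside the allowed shape.
    static String schemaFor(String username) {
        String schema = "u_" + username;
        if (!SCHEMA_NAME.matcher(schema).matches()) {
            throw new IllegalArgumentException("username is not usable as a schema name");
        }
        return schema;
    }

    // The schema is never read from the request: it comes from the principal
    // that Spring Security established for the current thread. An anonymous
    // session also carries an Authentication, so it is rejected explicitly.
    static String currentUserSchema() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("no authenticated user in the security context");
        }
        return schemaFor(auth.getName());
    }

    public int updateGroup(long groupId, String name, String password) {
        String schema = currentUserSchema();
        // Values are still bound as parameters; only the validated schema name is concatenated.
        return jdbcTemplate.update(
            "UPDATE " + schema + ".groups SET password = ?, name = ? WHERE group_id = ?",
            password, name, groupId);
    }
}
```

With this shape, a DAO method never receives the namespace as an argument from a controller, so a forgotten filter in one call site cannot point a query at another user's schema; the remaining work is provisioning a schema per user and granting the application's database account access only to those schemas.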
